Format strings vuln in CGIwrap
Date: 2003-04-23

Author : b0f www.b0f.net <b0fnet@yahoo.com>

A locally and possibly remotely exploitable format strings bug exists in cgiwrap, available from:
http://cgiwrap.sourceforge.net/
http://sourceforge.net/projects/cgiwrap
http://www.freebsd.org/ports/security.html

I. BACKGROUND

This is CGIWrap - a gateway that allows more secure user access to CGI programs on an HTTPd server than is provided by the http server itself. The primary function of CGIWrap is to make certain that any CGI script runs with the permissions of the user who installed it, and not those of the server.

CGIWrap works with NCSA httpd, Apache, CERN httpd, NetSite Commerce and Communications servers, and probably any other Unix based web server software that supports CGI.

II. DESCRIPTION

On line 91 of msgs.c, printf() is called with message as its format string, which results in a format string vulnerability.
<snip>
void MSG_Error_General(char *message)
{
    MSG_Header("CGIWrap Error", message);
    printf(message);
    MSG_Footer();
    exit(1);
}
</snip>

The binaries in cgiwrap (cgiwrap and nph-cgiwrap) are installed setuid root. This could make the format problem exploitable locally to gain root privileges, or possibly remotely to gain root or the privileges of the user who owns the CGI script.
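
The corrected form of the call shown above, as an added example that is not code from this advisory or from cgiwrap: the message is passed as an argument to a constant "%s" format, so conversion specifiers in it are treated as plain text. The names render_error and count_directives are hypothetical, and the sample string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from cgiwrap): renders an error message into buf.
 * The message is data, passed as an argument to the constant format "%s",
 * so any conversion specifiers it contains are copied out verbatim.
 * Returns 0 on success, -1 if the output was truncated or on error. */
int render_error(char *buf, size_t buflen, const char *message)
{
    int n = snprintf(buf, buflen, "%s", message);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Audit helper: counts conversion directives ('%' not followed by '%')
 * in a string. A non-zero count in caller-controlled text that reaches a
 * format argument is the condition the advisory describes. */
size_t count_directives(const char *s)
{
    size_t count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample input, not taken from the advisory. */
    const char *sample = "bad request %x %x %s";
    char out[128];

    if (render_error(out, sizeof out, sample) == 0)
        printf("rendered verbatim: %s\n", out);
    printf("directives seen: %zu\n", count_directives(sample));
    return 0;
}
```

GCC and Clang report the original pattern, a non-literal format with no arguments, when built with -Wformat -Wformat-security.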

III. ANALYSIS
An attacker could exploit this issue to escalate privileges locally or remotely on a server running cgiwrap.

IV. DETECTION

The latest version of cgiwrap, 3.7.1, is vulnerable, and probably older versions too (not checked). It would be exploitable on any Linux/Unix-based OS running cgiwrap.

V. VENDOR
The vendor has not been contacted about this issue.

Regards
b0f (Alan M)
www.b0f.net



 
